RESEARCH Open Access Secure ubiquitous authentication ... · Keywords: RFID, security, authentication protocol, ubiquitous, hash address 1. Introduction Radio frequency identification

RESEARCH Open Access

Secure ubiquitous authentication protocols forRFID systemsMd Monzur Morshed*, Anthony Atkins and Hongnian Yu

Abstract

In this article, the possible privacy and security threats to the radio frequency identification (RFID) systems areinvestigated and new authentication protocols are proposed which provide the identified privacy and security in avery efficient manner for a ubiquitous computing environment. The approach utilizes the concepts of two verydifferent, widely known RFID protocols, i.e. the “low-cost authentication protocol (LCAP)” approach and the “one-way hash-based LCAP “ approach. The resulting protocols combine the advantages of both protocols andeliminate the problems from these. The approaches are evaluated using a variety of criteria that are relevant inpractice. The proposed protocols use random numbers and a hash function to encrypt the key to protect the RFIDsystem from the adversary attacks. The hash value is used as a hash address to reduce the search time to locatethe tag in the database from a large number of records. A simulation experiment is conducted to verify some ofthe privacy and security properties of the proposed protocols.

Keywords: RFID, security, authentication protocol, ubiquitous, hash address

1. IntroductionRadio frequency identification (RFID) tags emerge as thesuccessor of barcodes and are used in many applicationssuch as in automation of automobiles, animal tracking,highway toll collection and supply-chain management[1]. An RFID tag has some advantages over an opticalbarcode that makes it more suitable in automation. Abarcode indicates the type of the object on which it isprinted but the RFID tag gives a unique serial numberthat distinguishes the object uniquely from many millionsof similar types of products. Another advantage of anRFID tag is that it does not require line-of-sight contactwith the readers as in optical barcodes. RFID is a technol-ogy to identify objects or people automatically [2]. AnRFID system consists of three components: tag, readerand back-end database [3]. It is a small and extremelylow-priced device consists of a microchip with very lim-ited functionality and data storage and an antenna forwireless communication with readers. An RFID tag canbe passive or active depending on the powering techni-que. In general, passive tags are inexpensive. They haveno on-board power; they get power from the signal of the

interrogating reader. Active tags contain batteries topower their transmission. RFID readers with antennasare devices used to read or write data from or to theRFID tags. The readers send query to a tag to obtaininformation from the tag. The database stores the infor-mation about the tags and the readers [4].The RFID tag in the form of electronic product code

(EPC) tag is the most popular standard and is specified byan organization called EPCglobal Inc. [5]. An EPC tag tra-ditionally contains some information such as a producttype identifier, a manufacturer identifier and a uniqueserial number those are exposed to the reader. Thisunique serial number works as a unique identifier (ID).Due to this unique serial number in an RFID tag, it is pos-sible to track the tag uniquely. Due to this, the informationin an RFID system is vulnerable to unauthorized readers.An RFID system is vulnerable to various attacks such aseavesdropping, traffic analysis, spoofing and denial of ser-vice. These attacks may reveal sensitive information oftags and hence break a person’s privacy. Another type ofprivacy violation is traceability which establishes a relationbetween a person and a tag. If a link can be establishedbetween a person and the tag, the tracing of the tag makesthe tracing of the person possible [1]. To protect the priv-acy in an RFID system, a tag needs to authenticate a

* Correspondence: [email protected] of Computing, Engineering and Technology, Staffordshire University,Stafford, UK

Morshed et al. EURASIP Journal on Wireless Communications and Networking 2012, 2012:93http://jwcn.eurasipjournals.com/content/2012/1/93

© 2012 Morshed et al; licensee Springer. This is an Open Access article distributed under the terms of the Creative CommonsAttribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction inany medium, provided the original work is properly cited.

mailto:[email protected]

http://creativecommons.org/licenses/by/2.0

reader. However, it is infeasible to use conventional cryp-tography in a passive RFID tag due to its extremely limitedprocessing and memory limitations. A typical RFID systemis shown in Figure 1.The objective of the article is to propose new efficient

and effective protocols to address these issues for RFIDsystems in ubiquitous computing environment. The proto-cols are based on the challenge-response method using aone-way hash function, a static identifier and two randomnumbers in the RFID systems. The purpose of the hashfunction is to give a one-way hash result so that an adver-sary cannot extract the input from the output. The valueof the hash function is also used as a hash address for thetags in the database. The purpose of the random numbersis to make the response anonymous. This protocol pro-tects the privacy and security of RFID systems of the issuesoutlined above.The rest of the article is organized as follows. In Section

2, the privacy and security model in RFID system is dis-cussed. Also the performance criteria of the RFID systemsare discussed in this section. Section 3 contains the relatedstudies. In Section 4, contributions and protocols are pre-sented. Section 5 outlined the privacy, security and effi-ciency analysis for evaluation of our protocols. Section 6describes the simulation result and evaluation. Section 7concludes the article citing major contributions.

2. Privacy and security in RFID systemsThe privacy and security objective in RFID system is toprotect the communication between the reader and the

tag from various attacks. We identify the following priv-acy and security issues:• Information leakage: In a typical RFID system, a

tag has a unique identifier that is transmitted to thereader. So it can easily be identified with this uniqueserial number. Due to this unique serial number, theinformation in it is vulnerable to an adversary. For theprotection from information leakage, an RFID systemneeds to provide privacy control so that unauthorizedreaders cannot access the tags.• Traceability and location privacy: If the response

of a tag can be linked to the tag then the location ofthe tag can be tracked. If a tag transmits a staticresponse to a reader, an adversary can distinguish itfrom other responses. If the responses from the tagsare anonymous, then the tracking problem can beavoided.• Impersonation and replay attack: An adversary can

query to a tag or a reader and can impersonate the tagor the reader. If an adversary can collect the informationduring communication from the tag and the reader theycan impersonate the tag to explore more information.An adversary can use this information and replay in thefuture.• Denial of service (DoS): An adversary may disrupt

the communication between a valid reader and a tag. Ifthe adversary can successfully block the transmission itcan cause the server and the tag to lose synchronization.The RFID system should be able to handle this to keepthe synchronization of the tag and the reader.

Figure 1 A typical RFID system.


Page 2 of 13

3. Related studiesThere are many approaches for the privacy and securityof the RFID systems. Sharma et al. [6] mentioned aboutthe resource constrained in an RFID tag as a main chal-lenge to provide privacy and security. The first approachtowards the privacy and security of an RFID tag is to kill[7] the tag at the point of sale. Due to various reasons forwhich killing a tag is not expected because consumermay wish to reuse the tag. Weis et el. [8] proposed ahash-based access control (HAC) approach to protect atag using a one-way hash function. To do it, the tagstores the hash of a random key as a metaID. Since themetaID is same for a tag all the times, it always transmitsthe same metaID, which can easily be tracked by anadversary [9]. Another problem in this system is that theinformation is transmitted in plain text which can easilybe eavesdropped. Weis et al. [8] also suggested anotherapproach that is extended from HAC called randomizedaccess control [8]. It uses a random number to preventlocation privacy. In each session, the tag produces aresponse with newly generated random number and itsID using a hash function. It cannot protect the systemfrom replay attack and is not suitable in a real-life systemwhere a large number of tags are used as it requiresmany expensive hash operations at the back-enddatabase.To protect location privacy several protocols use hash

function of varied identifier or varied secret [9-13]. Chienand Chen [9] proposed a challenge-response-basedauthentication protocol to prevent replay attack. This pro-tocol uses a database in the server which maintains newand old tag keys to protect DoS attack. To prevent trace-ability, authentication and access keys are updated. How-ever, this scheme is still vulnerable to backward andforward traceability because if an active attacker compro-mise a tag this can identify the tag’s past interactions fromprevious transactions and the fixed ID of the tag and candeduce the future transaction. Ohkubo et al. [10] proposedan RFID privacy scheme using a hash chain (HC) mechan-ism. This method uses two hash functions to protect theprivacy and security. It is also not suitable in practical usebecause the back-end database requires a large number ofHCs. Henrici et al. [11] proposed a scheme referred to thehash-based ID variation scheme (HIDV). It uses a one-wayhash function to protect location privacy by changing theID after each session. However, if any authenticationsession is unsuccessful it replies with the same hashed IDagain for which it opens up the vulnerability for imperso-nation attack such as spoofing. Lee et al. [12] proposed alow-cost authentication protocol (LCAP) which simplifiesand enhances HIDV scheme in both efficiency and secur-ity. It has the similar problem as in HIDV that a tag alwaysreplies with the same hashed ID before the next successful

authentication which allows tag tracking. Dimitriou [13]proposed an RFID authentication scheme that preservesuser privacy and also protects against tag cloning. Thisprotocol uses the hash of its identifier as a response to areader query to maintain scalability at the server, and theback-end server sends a message using the updated identi-fier to the tag after getting the tag response. This schemealso has a problem of tracking as between valid sessionsthe tag identifier remains the same.Varying identifier may cause problem in ubiquitous

computing environment. To solve the problem, staticidentifiers are used in many authentication protocols.Molnar et al. [14] proposed a private authenticationscheme for library RFID systems. It uses a pseudorandomnumber and a shared secret key by the tag and the readerfor efficient authentication. This scheme does not ensureforward security since the tag’s identifier and the secretkey are static and the random number forwarded is inplain text which can be captured by an adversary. Rhee etal. [15] proposed challenge response-based RFID authen-tication protocol (CRAP) which is designed to use in ubi-quitous computing. However, this scheme requires (N/2+1) hash function computations in the database which isimpractical for large number of tags in ubiquitous com-puting. Choi et al. [16] proposed a one-way hash-basedLCAP (OHLCAP), which is suitable for ubiquitous envir-onment. Ha et al. [17] claim that OHLCAP suffers fromtraceability and impersonation attack. The authors alsoproposed a solution of using hash function to protectfrom traceability attack. Tsudik [18] described an RFIDidentification protocol that provides a basic level of tagidentification using time-stamps. Tsudik [18] also pro-posed two further schemes that provide tag authentica-tion. The schemes use monotonically increasing time-stamps for tracking-resistant tag authentication, andemploy a keyed hash function f.Karthikeyan and Nesterenko [19] proposed RFID

security protocol without computationally expensivecryptographic mechanisms and used simple matrix multi-plication. However, this protocol is vulnerable to DoSattack and intruder can try a brute-force matrix and keyguessing attack. Moreover, this scheme is not securefrom replay and tracking attack. Song and Mitchell (SM)[20] proposed an RFID authentication protocol and own-ership transfer protocol [21] to prevent all the attacksdiscussed so far. Although these protocols are efficient interms of storage and computation requirements, but theyare vulnerable to both tag impersonation attack andreader impersonation attack. Cai et al. [22] proposed arevised authentication protocol of SM [20] to eliminatethe problems in it without violation of any other securityproperties. The storage and computation requirementsare also comparable with the existing protocol.


Page 3 of 13

In the next two sections, two prominent protocolsLCAP [12] and OHLCAP [16] will be discussed in moredetail as they are more related to the proposed work.

3.1 LCAP approachLCAP scheme uses one-way hash function to protectthe privacy and security of the tag. The notations andsymbols used in LCAP operation are as follows [12]:h: {0, 1}* ® {0, 1}l is a one-way hash functionID: ID denotes identity of a tag and is a random value

in {0, 1}l.Data fields of a tag and a reader are initialized to the

following values:Tag: The data field of a tag is initialized to its own ID.Reader: A reader picks uniformly a random number r

in {0, 1}l.The data fields of a back-end database are initialized

to HaID, ID, TD and DATA.HaID: HaID value is the hash value of ID used for

identifying or addressing the tag.TD: TD-entry is used to trace previous data informa-

tion of a tag when loss of message occurs in the currentsession.DATA: DATA stores the information about an accessi-

ble tag.The back-end database maintains two rows; Prev for

the previous session and Curr for the current session.Each row contains HaID, ID, TD, and DATA fields. InPrev, the back-end database records HaID and ID in theprevious session. In Curr, it updates HaID and ID ofPrev. TD-field of Curr has HaID value of Prev and TD-field of Prev contains HaID-value of Curr. The protocolis shown in Figure 2.LCAP works as follows:1. A reader selects a random number r and sends a

Query and r to the tag.2. The tag computes HaID = h(ID) and h(ID||r) using r

and its ID and sends hL(ID||r) and HaID to the reader,where hL(ID||r) is the left half of h(ID||r).3. The reader sends hL(ID||r), r, and HaID to the

back-end database.4. The back-end database then compares if the value of

HaID in Prev is same as the value of HaID received fromthe reader. If successful, then the back-end database com-putes hR(ID||r) using r received from the reader and ID inPrev, where hR(ID||r) is the right half of h(ID||r). For thenext session, the back-end database computes and storesHaID = h(ID ⊕ r) and ID = ID ⊕ r in Curr. TD-field ofPrev is filled with current HaID = h(ID ⊕ r). Finally, theback-end database sends hR(ID||r) to the reader.5. The reader forwards hR(ID||r) to the tag.6. The tag checks hR(ID||r). If it matches, the tag

updates its ID to ID ⊕ r.

In LCAP scheme, ID is changed in each authentica-tion. So, it does not work in ubiquitous environment.Also mentioned earlier, it cannot overcome the trace-ability problem.

3.2 OHLCAP approachOHLCAP uses a static identifier and secrets and is sui-table for ubiquitous environment. It also uses a one-wayhash function for privacy and security of the tag. OHL-CAP requires an ID and a hash function h as in LCAP.Some additional fields are also required. GI is used as agroup index. K is a common secret used in all tags andS is a tag secret. The protocol computes three messages:A1 = K ⊕ c, A2 = ID + (GIi ⊕ r ⊕ c) mod (2l-1), andB = h(ID||(S ⊕ GIi)||(r ⊕ c)). BL and BR are the left andright half of B, respectively. c is used as a counter andinitialized to an arbitrary value. It is increased everytime a reader sends a query to the tag. The protocol isshown in Figure 3.OHLCAP works as follows [16]:Step 1: A reader selects a random value r and sends a

query with r to a tag.Step 2: The tag checks a random value r whether it is

all zero value or not.1. If r value is all zero, the tag sends “stop” message to

the reader and stop the protocol.2. Otherwise, the tag performs the following- The tag computes A1 = K ⊕ c, A2 = ID + (GIi ⊕ r ⊕ c)

mod (2l-1),B = h(ID||(S ⊕ GIi)||(r ⊕ c)) and sends A1, A2 and BR

to the reader, where BR is a right half of B,- Then, the tag increases the counter c which should

not exceed 2l - 1.If the counter c exceeds 2l - 1, it is initialized by

initial c.Step 3. After receiving from the tag,1. The reader forwards A1, A2, BR and r to the back-

end database.2. The back-end database computes c/= A1 ⊕ K and

ID/j = A2 − (GIj ⊕ r + c′) mod (2l − 1) using all group

indices GIj, j Î {1,...,n}3. The back-end database checks if one of computed

ID/j(∈{1.....n}) is matching to one of the stored IDs in the

back-end database. If this process succeeds, the back-

end database check if the GIj used to compute the ID/j

is equal to the group index GIi that contains the match-

ing ID/j .

- If this is successful, the database computes B=h(ID||(S ⊕ GIi)||(r ⊕ c)) using the matched ID.- Otherwise, the back-end database stops this process.


Page 4 of 13

4. Then, the back-end database authenticates the tagby matching the received value BR.5. The back-end database sends BL to the reader,

where BL is a left half of B. The reader forwards BL tothe tag.Step 4. The tag authenticates the reader by comparing

the received value BL.OHLCAP is an efficient approach in ubiquitous environ-

ment that uses one-way hash function for privacy andsecurity. However, Ha et al. [17] find its security weaknessand proposes an enhanced OHLCAP (EOHLCAP)scheme. The authors showed that this protocol is vulner-able to traceability attack and impersonation attackbecause of its special property, namely, cc = cp + 1 for twosuccessive sessions. The adversary eavesdrops the mes-sages transmitted between the tag and the reader andobtains the successive A1

p and A1c where A1

p = K ⊕ cp,A1

c = K ⊕ cc. Afterwards, it computes A = A1p ⊕ A1

c = cp

⊕ cc = cp ⊕ (cp + 1) and removes the secret key K in thisequation. In this way, the adversary can trace the tag’sholder. Similarly, the adversary can implement impersona-tion attack by selecting special random number rc = rp +1. If rc ⊕ cc = rp ⊕ cp then the value of Bp is equal to Bc

since B = h(ID||(S ⊕ GIi)||(r ⊕ c)). To overcome the secur-ity weakness, Ha et al. [17] add a pseudorandom numbergenerator to generate a random number and removes thecounter in the tag to prevent traceability attack.

4. Our contributions: secure ubiquitousauthentication protocols (SUAP)OHLCAP is not protected against traceability and imper-sonation attacks. It requires much storage in the tag sideand database side. EOHLCAP eliminates the privacy pro-blem in OHLCAP with reduced amount of storages inthe tag side and the database side but it takes many hashoperations to locate the tag in the database [17]. LCAP

Figure 2 The LCAP protocol.

Figure 3 The OHLCAP protocol.


Page 5 of 13

requires less storage in the tag and reduces search time inthe database but it is not suitable for ubiquitous comput-ing environment as the ID is updated after each authenti-cation process. To overcome these problems, threeSecure Ubiquitous Authentication Protocols SUAP1,SUAP2 and SUAP3 for RFID systems are proposed inthis section. SUAP1 is a simple RFID authentication pro-tocol that will work in a system where the number oftags is small. The preliminary version of SUAP1 is pre-sented in [23]. The final version of SUAP1 is improvedover the preliminary version with privacy and securityenhancement. SUAP2 and SUAP3 are the extension ofSUAP1 and work in a large group-based system whereRFID tags are divided into several groups. These proto-cols are low-cost and secured based on challenge-response method using a one-way hash function, hash-address as a search index. The proposed protocols com-bine the features of the hash address and hash functionof the LCAP protocol and the ubiquitous property ofOHLCAP protocol and overcome the existing privacyand security problems in these two schemes. The advan-tage of hash address is to reduce the search time in thedatabase. The notations used in the SUAP1, SUAP2 andSUAP3 protocols are as follows:

Notationsh A one-way hash function, h:{0,1}* ® {0,1}l

ID Tag identifierGID Group identifierHad Hash address h(ID)N Number of tagsn Number of groupsmi Number of tags in the ith groupl The length of an identifier. The value of l is assumed

96 bits.r1 Random number in {0,1}l

r2 Random number in {0,1}l

⊕ XOR operator|| Concatenation operator¬ Assignment operator

4.1 SUAP1SUAP1 protocol uses a static identifier and a secret num-ber, hash functions and two random numbers. The objec-tive of this protocol is to preserve the ubiquitous propertyof the protocol and is suitable for a small number of tags.In this case a common secret is stored in all the tags. Tworandom numbers make the hash response unpredictableso that it is impossible to perform impersonation and tra-cing attack by a malicious reader. The system set-up ofSUAP1 protocol is as follows:System Set-upTag: Each tag contains the following fields:ID: Tag Identifier

x: Common secret numberReader: Reader does not contain any field.Back-end database: Back-end database contains the

following fields:ID: Tag identifierx: Common secret numberHad: Hash address h(ID)When a tag enters into the range of a reader, the

reader can initiate the authentication protocol. The pro-tocol is shown in Figure 4. The steps in the authentica-tion protocol are as follows:1. The reader generates a random number r1 and

sends it to the tag.2. Receiving the number r1 the tag generates another

random number r2.If r1 or r2 is 0 stop protocolOtherwise, the tag performs the following computa-

tions

y ← h(ID) + (r1 ⊕ r2)

t = r2 ⊕ x. t is a temporary variable here.Computes h(ID||r1||r2)The tag then sends the value of y, t and hL to thereader.Where hL is the left half of h(ID||r1||r2)

3. The reader then sends the value of y, t and r1 to theback-end database.4. The back-end database will calculate the following.

r2 = t ⊕ x

h(ID) ← y − (r1 ⊕ r2)

h(ID) is the address of the record containing the IDwhere Had = h(ID)Access the address HadRetrieves the ID from the recordThen the back-end database computes h(ID||r1||r2)If hL matches, the tag is authenticatedSends hR to the reader, where hR is the right half of h

(ID||r1||r2)5. The reader forwards the hR to the tag6. If the received hR matches, the reader is

authenticated.The protocol is simple and works for an organization

having small number of tags (i.e. several thousands). Tworandom numbers make the response anonymous. Theproblem in this simple protocol is that it maintains acommon secret for all the tags in the database. It can bea problem to manage this secret in a large organizationhaving different departments. Having only a single secret


Page 6 of 13

x for all the tags it cannot ensure privacy and security fora large organization having millions of tags in manydepartments.

4.2 SUAP2To overcome the problem in SUAP1 of having only onesecret for all the tags, SUAP2 maintains groups for thedifferent departments and different types of products. Inaddition to the ID and secrets in the SUAP1, one extravariable GID is needed in the tag side and the databaseside. It represents a group identifier. This is also a secretnumber. The database divides the tags into n groupsand the protocol is shown in Figure 5. The only differ-ence between the SUAP1 and SUAP2 is that SUAP2maintains the groups of the tags and there is a commonsecret for each group. In this case one secret value x isused for all the tags in a group. It will reduce the tagsearch time in the database. This is suitable for the casewhere the tags of the same group are not distributed invarious places. It ensures better security but requiresless computation and search times in the database. Thesystem set-up of SUAP2 protocol is as follows:System Set-upTag: Each tag contains the following fields:

ID: Tag Identifierx: Secret number for a groupGID: Group identifierReader: Reader does not contain any fields.Back-end database: Back-end database contains the

following fields:ID: Tag identifierx: Secret number for a groupHad: Hash address h(ID)GID: Group identifierThe steps in the authentication protocol are as

follows:1 .The reader generates a random number r1 and

sends it to the tag.2 .Receiving the number r1 the tag generates another

random number r2.if r1 or r2 is 0 stop protocolOtherwise, the tag performs the following computa-

tions

y ← h(ID) + (r1 ⊕ r2 ⊕ GID)

t = r2 ⊕ x

Figure 4 The proposed SUAP1 protocol.


Page 7 of 13

Computes h(ID||r1 ||r2||GID)

The tag then sends the value of y, t and hL to thereader.Where hL is the left half of h(ID||r1||r2||GID)3. The reader then sends the value of y, t and r1 to the

back-end database.4. The back-end database calculates the following for

all GIDs

r2 = t ⊕ x

h(ID) ← y − (r1 ⊕ r2 ⊕ GID)

h(ID) is the address of the record containing the IDwhere Had = h(ID)Lookup the address HadRetrieves the ID from the recordThen the back-end database computes h(ID||r1||r2||

GID)If hL matches, the tag is authenticated

Sends hRto the reader, where hR is the right half of h(ID||r1||r2||GID)5. The reader forwards the hR to the tag6. If the received hR matches, the reader is

authenticated.

4.3 SUAP3The SUAP3 enhances the SUAP2 in efficiency by remov-ing the secret x from the tag and the database. It keeps thegroup variable GID in the tag and the database as inSUAP2. It represents a group identifier and also a secretnumber. The database divides the tags into n groups andthe protocol is shown in Figure 6. The only differencebetween the SUAP2 and SUAP3 is that SUAP3 does notuse the secret x for the tag and the database. The group-based structure is used for the searching tags in the data-base. The privacy will not be hampered due to the elimi-nation of the secret x as the GID works as an l bits secretwhich is also difficult to guess by the adversary. It reducesthe number of searches significantly. Since the hash func-tion is one-way it still gives the same security protection



Page 8 of 13

to the ID. The system set-up of SUAP3 protocol is asfollows:System Set-upTag: Each tag contains the following fields:ID: Tag IdentifierGID: Group identifierReader: Reader does not contain any fields.Back-end database: Back-end database contains the

following fields:ID: Tag identifierHad: Hash address h(ID)GID: Group identifierThe steps in the authentication protocol are as

follows:1. The reader generates a random number r1 and

sends it to the tag.2 .Receiving the number r1 the tag generates another

random number r2.if r1 or r2 is 0 stop protocolOtherwise, the tag performs the following computa-

tions

t ← GID ⊕ r2

y ¬h(ID) ⊕ (GID+(r1 ⊕ r2))and computes h(ID||r1||r2||GID)The tag then sends the value of y, t and hL to the

reader.Where hL is the left half of h(ID||r1||r2||GID)3. The reader then sends the value of y, r1 and t to the

back-end database.4. The back-end database calculates the following for

all GIDs

r2 ← GID ⊕ t

Hadi ← y ⊕ (GID + (r1 ⊕ r2))

Hadi is the address of the record containing the IDwhere Hadi = h(ID)

Lookup the address Hadi in the database



Page 9 of 13

If Hadi = Had for any ID retrieves the ID from therecordThen the back-end database computes h(ID||r1||r2||

GID)If hL matches, the tag is authenticatedSends hR to the reader, where hR is the right half of h

(ID||r1||r2||GID)5. The reader forwards the hR to the tag6. If the received hR matches, the reader is

authenticated.

5. Evaluation of the proposed protocolsThe protocols are analysed in two ways: first is the privacyand security analysis and the second one is the efficiencyanalysis.

5.1 Privacy and security analysisThe privacy and security of the proposed protocols areanalysed against various threats introduced in Section 2;information leakage of a tag, location privacy, imperso-nation and replay attack, DoS attack and traceability.The privacy and security analysis against the identifiedthreats is outlined as follows:• Information leakage: In SUAP1 protocol, the adver-

sary must be authenticated to access any sensitive infor-mation from a tag. To authenticate the systems anadversary must know ID, x and r2 to access any informa-tion from the tag. The SUAP2 protocol has additionalGID secret to make the response more unpredictable.The SUAP3 uses the GID as a secret instead of x. Thecombination of r1 and r2 makes the response y so unpre-dictable that the adversary can only guess the value of hR

and hL. The advantage of an adversary is at most12l,

which is negligible for l = 96 or more.• Location privacy: The responses from the tags are

always changing in every new session. The value of t, yand hL cannot be linked with any particular tag inSUAP1, SUAP2 and SUAP3. The protocols ensure loca-tion privacy by using new values of r1 and r2 each time.Even if a malicious reader sends the same random valuer1 all the times, a tag transmits the refreshed values thatare refreshed by r2 and secret value x or GID.• Impersonation and replay attack: The protocols

work in a complete challenge-response fashion by mutualauthentication. When a tag reaches within the range of areader, the reader sends queries with a random numberto the tag. An adversary may also request a tag with arandom number. Without knowing ID, hash function,secret x and random number r2 generated by the tag, theadversary cannot find the response y. In SUAP2 andSUAP3, the group identifier GID also makes the responsemore unidentifiable. For each session the tag gives a newvalue of y that is totally indistinguishable and different

from other sessions. So, impersonation and replay attackis nearly impossible in practical scenario. Impersonationand replay attack could be possible if the attacker waitsfor a matched response (same hL) from the tag andreplays the hR to authenticate itself. Such repeating hashresponse could only be reproduced once in 2l responses(where the responses are uniformly random in nature) asthe length of the hash response is l.• DoS: Since the ID and the secret are never changed

in the proposed protocols, if the attacker prevents thelast flow to the tag from the reader it will not cause anyproblem of desynchronization.• Traceability: The schemes SUAP1, SUAP2 and

SUAP3 are fully protected from future forward andbackward traceability. The attacker has no access overr2, and the combination of r1 and r2 and the hash func-tion. The responses are always anonymous and theattacker does not know the value of the ID and thesecret. So the previous, present and future interactionsare all indistinguishable. The attacker cannot identifythe past and future interactions.

5.2 Efficiency analysisFor efficiency analysis the storage, communication andcomputation cost of the proposed protocols are comparedwith other protocols in Table 1. The storage cost indicatesthe storage requirements in the tag, database and thereader. The communication cost means the length of bitsthe tag and the reader send during the authentication pro-cess. The computation cost is the maximum computationsrequire in the tag and the database during the executionof the authentication protocol.In Table 1, LCAP [12] performs better than other pro-

tocols for almost all criteria but it suffers from traceabil-ity problem and it is not ubiquitous. The proposedprotocols show better performance because it requiresless tag side and database side storage and gives protec-tion from all the known attacks. The storage requirementfor the tag and the database are 2l and 3l, respectively, inSUAP1 and SUAP3, whereas OHLCAP [16] requires 5land 4l, respectively. CRAP [15] uses only 1l storage for atag but it needs (N/2+1) hash operations which is practi-cally unsuitable because in ubiquitous environment thevalue of N is extremely high and it does not divide thetags into groups. It requires many hash operations andhence requires long search time to obtain the tag infor-mation in the database. Similarly, the EOHLCAP [17]requires 3l storages in the tag side and 3l storages in thedatabase side but requires a large number of hash opera-tions for a group. This is also high for a group having alarge number of tags. The main computation costs in thetags are the hash operations. OHLCAP requires 1 hashoperations and additional operations A1 which are fourXOR operations in the tag. EOHLCAP also requires 1


Page 10 of 13

hash operation and additional operations A2 which aretwo XOR operations in the tag. The proposed protocolsrequire two one-way hash operations in each tag. SUAP1requires additional operations A2 which are two XORoperations. Both SUAP2 and SUAP3 require additionaloperations A3 which are three XOR operations in the tag.In each protocol, the tag requires one addition operation.Since both XOR-operation and addition operation arevery simple bit operation, hardware embodiment of theseoperations is simpler than one-way hash function. There-fore, the proposed protocols are suitable to a low-costRFID tag systems. ε1, ε2, ε3, ε4 and ε5 are additionaloperations other than hash functions in the correspond-ing databases as shown in Table 1.

6. Simulation expeeriment and evaluationTo validate the proposed protocols, simulation experi-ments have been conducted. The privacy and securityprotections are ensured with the hash functions and ran-dom numbers. A hash function is a one-way function forwhich the possibility of information leakage is negligiblefrom the hash response. In the simulation experiment ltakes different values, i.e. 16, 32, 64 and 96. However,many combinations of the hash inputs can give the sameresponse that can be used by the adversary to imperso-nate the RFID systems through replay attack. This is themain reason to conduct the simulation. The objective ofthe simulation program is to verify the protection forimpersonation, replay attack and location privacy. Itchecks the response y if it recurs more than once for onetag during the attacks by an adversary in a given numberof attempts. If the same response is generated for anygiven random number pair it can be used by the adver-sary for impersonation and replay attack and the locationprivacy of the tag may be broken.We simulate the impersonation and replay attack

using Monte Carlo simulation method. To replay thehash value h (hL|| hR) for a particular ID and GID, hashresponses are generated for 1011 times with the same ID

and GID and different set of r1 and r2. The hash valuegenerated at ith attempt hi is considered vulnerable forimpersonation and replay attack if hi = h. The generatedrandom sequences for r1 and r2 are tested for uniformrandom distribution using chi square test to ensure thevalidity of the simulation using Monte Carlo method.The number of matches found is recorded to generatethe performance results. For a particular data length tensimulations are executed using different set of randomnumbers and the possible impersonation and replayattacks are observed in the simulation. The averages ofthe successful replay attacks are reported in Table 2.The output of a hash function is the same for the same

random number pair. Some different random numberpairs may also give the same response. The objective is toensure unique response for different inputs of randomnumber pair so that an adversary is unable to use anyresponse at later stage to access the tag or the reader. Weselect one tag and generate a response for two randomnumbers as in SUAP1, SUAP2, SUAP3 and EOHLCAP.Then the program attempts 1011 times to check that howmany times the same response is generated. This is therole of an adversary. In each attempt a new response isgenerated with a new pair of random number. The aver-age number of times a similar response generated inSUAP1, SUAP2, SUAP3 and EOHLCAP are given inTable 2. The expected number of matches are alsoreported in a column to compare the obtained result.The value of the expected number of matches is calcu-lated using the analysis of repeating hash response pre-sented for replay attack in Section 5.1 and it is calculatedas 1011/2l. All the selected protocols show almost similarresults. The number of matches represents the success ofthe adversary to attack the tag. The experiment was con-ducted for 16, 32, 64 and 96 bits of secret value, randomnumber, ID and hash response. The success of the adver-sary was found for 16 and 32 bits since many occurrencesof the same response are found. There was no recurrenceof the same response for 64 and 96 bits for the specified

Table 1 Efficiency analysis

Efficiency criteria LCAP CRAP OHLCAP EOHLCAP Proposed protocols

SUAP1 SUAP2 SUAP3

Storage Tag 1l 1l 5l 3l 2l 3l 2l

Reader - - - - - - -

Database 6l 1l 4l 3l 3l 4l 3l

Computation Tag 2h 3h 1h(+A1) 1h(+A2) 2h (+A2) 2h (+A3) 2h (+A3)

Reader - - - - - - -

Database 1h (N2

+ 1)h 1h+ε1 (mi + 1

2)h + ε2 1h+ ε3 1h+ ε4 1h+ ε5

Communication Tag-to-Reader 1.5l 2l 2.5l 2.5l 2.5l 2.5l 2.5l

Reader-to-tag 0.5l 0.5l 0.5l 0.5l 0.5l 0.5l 0.5l

A1,A2,A3, additional XOR and add operations in the tag; ε1, ε2, ε3, ε4, ε5, small operations in the database


Page 11 of 13

number of attempts, i.e. 1011 times. We did not performsimulation experiments for LCAP, OHLCAP andYA_TRAP* protocols since these are not protectedagainst all the privacy threats [16-18]. CRAP is also notincluded since it requires many hash operations [16].The simulation program has been developed using

Turbo C++ compiler and the experiment was conductedin a desktop computer with 2.93GHz Intel (R) Core 2Duo Processor, 3.46 GB memory and Windows XP pro-fessional Operating System.According to the privacy and security analysis in Sec-

tion 5.1 and the simulation results the summary of theprivacy and security properties are given in Table 3.The privacy and security properties of the proposed

protocols are compared with five other schemes. The fiveschemes were chosen because all of these protocolsinvolved tag authentication. LCAP involves secret updatebut other four protocols CRAP, OHLCAP, EOHLCAPand YA_TRAP* do not support secret update. Proposedprotocols are more similar to CRAP, OHLCAP, EOHL-CAP and YA_TRAP* than LCAP since all these protocolssupport authentication in ubiquitous computing environ-ment and do not update the identifier and secret value.Table 3 shows that the proposed protocols provided pro-tections from all the identified privacy and securitythreats.

7. ConclusionThree efficient and secure authentication protocolsSUAP1, SUAP2 and SUAP3 are proposed to protect priv-acy and security for the low-cost RFID system in ubiqui-tous computing environment. The privacy and securityproblems of LCAP and OHLCAP are overcome in these

protocols. SUAP1 is suitable for the organization havingsmall number of tags. SUAP2 and SUAP3 are suitable formedium and large organizations having many depart-ments. All the proposed schemes require only two one-way hash function operations and avoid large number ofhash computations in the database and hence are very effi-cient. The tag search time in the database is reduced byusing the hash value as the address of the correspondingtag. EOHLCAP also overcomes the problem in OHLCAPand protects the RFID system from most of the attacksbut it requires many complex hash operations. The pro-posed protocols ensure privacy and security protectionsfrom all the identified threats. The storage requirementsin SUAP1 and SUAP3 are also less than OHLCAP andEOHLCAP protocols. The comparison shows that theproposed protocols are both secure and efficient thanother schemes and have practical advantages over thembecause these are simple and provide a larger range ofprivacy and security protections for low storage andcomputations.

Competing interestsThe authors declare that they have no competing interests.

Received: 14 July 2011 Accepted: 8 March 2012Published: 8 March 2012

References1. A Jules, S Garfinkel, R Pappu, RFID privacy: an overview of problems and

proposed solutions. IEEE Security Privacy. 3(3), 34–43 (2005). doi:10.1109/MSP.2005.78

2. A Jules, RFID security and privacy: a research survey. IEEE J Sel AreasCommun. 24(2), 1–19 (2006)

3. R Want, An introduction to RFID technology. IEEE Pervasive Comput. 5,25–33 (2005)

Table 2 Attacker’s success for one tag

Number Number of attempts Data length l (bits) Expected number of matches Average number of matches (attacker’s success)

EOHLCAP SUAP1 SUAP2 SUAP3

1 1011 16 1525878.91 1532979.81 1536442.83 1535009.84 1526520.77

2 1011 32 23.28 21.34 20.30 21.20 20.81

3 1011 64 5.42 × 10-9 0 0 0 0

4 1011 96 1.26 × 10-18 0 0 0 0

Table 3 Privacy and security comparisons

Property LCAP CRAP OHLCAP EOHLCAP YA_TRAP* SUAP1 SUAP2 SUAP3

Information privacy Y Y Y Y Y Y Y Y

Location privacy N Y Y Y Y Y Y Y

Impersonation A Y N Y Y Y Y Y

Replay attack Y Y N Y Y Y Y Y

Message interception Y Y Y Y N Y Y Y

Backward traceability Y Y N Y N Y Y Y

Forward traceability Y Y N Y N Y Y Y

Y, provided; A, provided under assumption; N, not provided


Page 12 of 13

4. BS Prabhu, X Su, H Ramamurthy, C Chu, R Gadh, WinRFID-a middleware forthe enablement of radio frequency identification (RFID) based applicationsUCLA, in Wireless Internet for the Mobile Enterprise Consortium (WINMEC), LosAngeles, CA, 1–23(2003)

5. http://www.EPCglobalinc.org. EPCglobal Web site, 2005. Referenced 20056. S Sarma, S Weis, D Engels, Radio-frequency identifcation: security risks and

challenges. CryptoBytes. 6(1), 2–9 (2003)7. A Juels, RL Rivest, M Szudlo, The blocker tag: selective blocking of RFID tags

for consumer privacy, in the 8th ACM Conference on Computer andCommunications Security, (ACM Press, Washington DC, USA, 2003), pp.103–111

8. SA Weis, SE Sarma, RL Rivest, DW Engels, Security and privacy aspects oflow-cost radio frequency identification systems, in Security in PervasiveComputing, vol. 2802. (Lecture Notes in Computer Science, 2004), pp.201–212. doi:10.1007/978-3-540-39881-3_18

9. H Chien, C Chen, Mutual authentication protocol for RFID conforming toEPC class 1 generation 2 standards. Comput Standard Interface. 29(2),254–259 (2007). doi:10.1016/j.csi.2006.04.004

10. M Ohkubo, K Suzki, S Kinoshita, Cryptographic approach to “privacy-friendly” tags, in RFID Privacy Workshop, MIT, MA, USA http://rfidprivacy.media.mit.edu/2003/papers/ohkubo.pdf (November 2003)

11. D Henrici, P Muller, Hash-based enhancement of location privacy for radio-frequency identification devices using varying identifiers. in InternationalWorkshop on Pervasive Computing and Communication Security -PerSec 2004,ed. by Sandhu R, Thomas R IEEE Computer Society, Orlando, FL,USA149–153 (March 2004)

12. SM Lee, YJ Hwang, DH Lee, JI Lim, Efficient authentication for low-cost RFIDsystems, in ICCSA05, LNCS, vol. 3480. (Springer-Verlag, 2005), pp. 619–629

13. T Dimitriou, A lightweight RFID protocol to protect against traceability andcloning attacks, in Conference on Security and Privacy for Emerging Areas inCommunication Networks - SecureComm, IEEE Athens, Greece, pp. 59–66(September 2005).

14. D Molnar, D Wagner, Privacy and Security in Library RFID: Issues, Practices,and Architectures, in Conference on Computer and Communications Security,ed. by Pfitzmann B, Liu P (ACM CCS, Washington, DC, USA, 2004), pp.210–219. ACM Press

15. K Rhee, J Kwak, S Kim, D Won, Challenge-response based RFIDauthentication protocol for distributed database environment. SPC 2005,LNCS 3450 70–84 (2005)

16. EY Choi, SM Lee, DH Lee, Efficient RFID authentication protocol forubiquitous computing environment. Embed Ubiquit Comput. 3832,945–954 (2005)

17. J Ha, S Moon, JMG Nieto, C Boyd, Security analysis and enhancement ofone-way hash based low-cost authentication protocol. Emerging TechnolKnowl Disc Data Mining. 4819, 574–583 (2007). doi:10.1007/978-3-540-77018-3_57

18. G Tsudik, A family of dunces: trivial RFID identification and authenticationprotocols, in 7th International Symposium on Privacy Enhancing Technologies-PET 2007, Lecture Notes in Computer Science, vol. 4776, ed. by Borisov N,Golle P (Ottawa, Canada, 2007), pp. 45–61. Springer-Verlag, Berlin

19. S Karthikeyan, N Nesterenko, RFID security without extensive cryptography,in Workshop on Security of Ad Hoc and Sensor Networks - SASN’05,(Alexandria, Virginia, USA, 2005), pp. 63–67. ACM Press

20. B Song, CJ Mitchell, RFID authentication protocol for low-cost tags,(WiSEC’08, Alexandria, Virginia, USA, 2008), pp. 140–147

21. B Song, RFID tag ownership transfer, in 4thWorkshop on RFID Security,RFIDsec08, (Budaperst, Hungary, 2008), p. 16

22. S Cai, Y Li, T Li, RH Deng, Attacks and improvements to an RFID mutualauthentication protocol and its extensions, in WiSec’09, (Zurich, Switzerland,2009), pp. 51–58

23. MM Morshed, H Yu, A Atkins, SI Ahamed, MM Akbar, A two-way RFIDauthentication protocol in pervasive computing, in The 16th InternationalConference on Automation and Computing (ICAC’10), (Birmingham University,UK, 2010), pp. 164–169

doi:10.1186/1687-1499-2012-93Cite this article as: Morshed et al.: Secure ubiquitous authenticationprotocols for RFID systems. EURASIP Journal on Wireless Communicationsand Networking 2012 2012:93.

Submit your manuscript to a journal and benefi t from:

7 Convenient online submission

7 Rigorous peer review

7 Immediate publication on acceptance

7 Open access: articles freely available online

7 High visibility within the fi eld

7 Retaining the copyright to your article

Submit your next manuscript at 7 springeropen.com


Page 13 of 13

http://www.EPCglobalinc.org

http://rfidprivacy.media.mit.edu/2003/papers/ohkubo.pdf

http://rfidprivacy.media.mit.edu/2003/papers/ohkubo.pdf

http://www.springeropen.com/

http://www.springeropen.com/

Documents

RESEARCH Open Access Secure ubiquitous authentication ... · Keywords: RFID, security, authentication protocol, ubiquitous, hash address 1. Introduction Radio frequency identification